Connection to Azure Vault using MSI

Asked 28/2, 2018 at 10:32 Answered 22/3, 2019 at 5:37

Solved c .net azure azure-security shared-secret

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

Abecedarium answered 28/2, 2018 at 10:32 Comment(7)

Console app... running in Azure on a VM with the automagically generated service principal added to Key Vault's Access Policies? What do you mean by i have added my user as the Selected Principle, that's not how it works, the VM has its own SPN, use it. – Philippeville 28/2, 2018 at 10:40

I mean i added my AD user as a principle when setting up access policies in the azure vault – Abecedarium 28/2, 2018 at 10:42

I am running the console app locally – Abecedarium 28/2, 2018 at 10:45

What do you mean locally? The whole point of MSI is that it's implemented in the Azure resource. There's no mechanism in place for your local dev machine to acquire an access token. – Philippeville 28/2, 2018 at 10:46

Do i need to register my console app in azure? and use the applicationId and appSecret in the instance of the KeyVaultClient? – Abecedarium 28/2, 2018 at 11:0

How can i use vault to get secrets from a windows forms app or a console app? – Abecedarium 28/2, 2018 at 11:2

Yes, you need to register your app with Azure AD to get a client_id and client_secret. You'll then use those to acquire an access token for your vault resource. – Philippeville 28/2, 2018 at 11:47

Enable Managed Service Identity in the Configuration blade under your virtual machine.

Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

On your Azure VM, run the console app.

class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication

Philippeville answered 28/2, 2018 at 11:26 Comment(1)

AzureServiceTokenProvider allows use of developer Visual Studio identity or Azure CLI for local development. Please do not use Client ID and secret for this. The intent of MSI and AzureServiceTokenProvider is to not have developers deal with explicit credentials. Please refer this to use Visual Studio/ Azure CLI for local development. learn.microsoft.com/en-us/azure/key-vault/… – Boschbok 27/8, 2018 at 20:34

To run locally.

install Azure Cli
Open Windows Powershell
write az login command (it will give an url and code )
Open Url and enter the code which is given with az login

then get the secret value like this

 var secret =  await keyVaultClient.GetSecretAsync("https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");
     secret.Value; //your secret.

Azalea answered 2/5, 2018 at 11:30 Comment(0)

a correct answer is already given above, here's an additional one :-)

Azure MSI applying with App Service & Vault

Enable System Assigned Managed Identity for your App Service, check Identity section under settings.
Add Policy under Vault
configure your code behind

Chessa answered 22/3, 2019 at 5:37 Comment(0)

Recommended topics

Hot tags